How Botnets are Used in Ransomware Attacks

Botnets, such as Trickbot and Emotet, have been common initial access brokers for ransomware attacks, including some perpetrated by the Conti ransomware gang.
An illustration of a bot herder with their botnet
Share on twitter
Share on linkedin

A botnet is a network of devices that have been infected with malware, allowing a threat actor to control them. However, instead of completely taking over the devices, the individual orchestrating the attack, known as the bot herder, will use a portion of the computer’s bandwidth to run an activity in the background without the victim’s knowledge. This tiny fraction of traffic from one computer wouldn’t have much impact but take over a network of computers and put them all to work towards a collective goal, and you’ve got yourself an army.

The bot herder has access to thousands of machines, and that access is valuable. They can use the network themselves to make money through ad fraud, banking trojans, or mining cryptocurrency. But they can also make money selling their access to cyber criminals interested in DDoS attacks or ransomware delivery.

Conti, Trickbot, and Emotet

Both government and private industry have a vested interest in disrupting and ending botnet operations. Two of the most prolific recent botnets responsible for the distribution of ransomware, Trickbot and Emotet, have been taken down in the last few years. Microsoft and partners took down Trickbot and a Europol collaboration took down Emotet. Botnets have extensive measures in place to avoid detection, but uncovering the command-and-control infrastructure can expose the location of the servers, allowing seizure by law enforcement.

In Trickbot’s case, Microsoft was granted a court order, through the filing of a copyright claim, to disable the IP addresses and suspend all services to the operators. Regardless of how they’re disabled, just like many of the most infamous ransomware gangs, botnets have a habit of reappearing. Sometimes botnets reappear with different branding, and sometimes the operators just start a new operation or join forces with other existing groups. After their respective takedowns, Trickbot and Emotet both re-emerged and began collaborating, with Trickbot malware dropping a loader for Emotet on its infected devices. In leaked information that came to light in the wake of Ukraine/Russia hostilities in 2022, the two were also linked to the Conti ransomware gang, which was noted as using the botnets for access to computers to deploy their malware.

Fighting Back Against Botnet Ransomware Attacks

Today’s threat actors are collaborating, making it easier than ever to launch a ransomware attack. Initial access brokers, such as bot herders, provide a point of entry, while ransomware-as-a-service providers run the infrastructure needed for deployment and payment collection.

Companies must also collaborate if they hope to protect themselves from the growing ransomware business. RH-ISAC provides a platform for collaboration among cybersecurity professionals from across the retail, hospitality, and travel sectors. Members can share threat intelligence such as malware trends and phishing attempts to help the industry stay ahead of developing TTPs. Learn more about RH-ISAC membership.

Ransomware Resilience Planning Guide

Get actionable strategies to reduce your organization's ransomware risk.

More Recent Blog Posts

RH-ISAC Cyber Intelligence Summit Sept. 2021 Dallas, TX

Register for Summit

Our biggest event of the year is back in person on September 20-21! Join your RH-ISAC peers in Dallas for this annual two-day conference featuring interactive, practitioner-led discussions, breakout sessions, and keynote presentations.